Docker process still runs under root, so if container escapes it, it may be bad for users. Even if it runs under your user, there is a risk for it to access more information than allowed.

There are some notes I made year ago while wotking with CyberFund on CyberNode concept — which is essentially a toolkit to let people run nodes easily and as securely as possible.

abitrolly/cybernode-builder

One of the conventions was to provide `/cyberdata` mount with different folders and run Docker under cyber user. Ideally each container could run with its own user to prevent access to sensitive data if one container is broken.

May be a little paranoid, but losing private keys is not a joke.